US20030177350A1 - Method of controlling network access in wireless environment and recording medium therefor - Google Patents

Info

Publication number: US20030177350A1
Authority: US (United States)
Prior art keywords: authentication, password, user, terminal, authentication server
Legal status: Abandoned
Application number: US10/383,729
Inventor: Kyung-Hee Lee
Current assignee: Samsung Electronics Co Ltd
Original assignee: Samsung Electronics Co Ltd
Application filed by Samsung Electronics Co Ltd
Assigned to SAMSUNG ELECTRONICS CO., LTD. (assignment of assignors' interest; assignor: LEE, KYUNG-HEE)
Publication of US20030177350A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/162 Implementing security features at a particular protocol layer at the data link layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00
    • H04L 2463/082 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00 applying multi-factor authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/60 Context-dependent security
    • H04W 12/69 Identity-dependent
    • H04W 12/71 Hardware identity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 84/00 Network topologies
    • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W 84/10 Small scale networks; Flat hierarchical networks
    • H04W 84/12 WLAN [Wireless Local Area Networks]

Definitions

  • FIG. 1 is a block diagram for illustrating a network access controlling method according to the present invention.
  • FIG. 2 is a flowchart for illustrating a network access controlling method according to the present invention.
  • Korean Patent Application No. 2002-14276 filed on Mar. 16, 2002, and entitled: “Method Of Controlling Network Access In Wireless Environment And Recording Medium Therefor,” is incorporated by reference herein in its entirety.
  • the present invention includes a step of authenticating a terminal possessed by a user and a step of authenticating the user using a password chosen by the user.
  • the main bodies of action, which are a terminal, an access point, and an authentication server existing in a network, are required to perform user authentication according to the present invention.
  • FIG. 1 shows the components of a WLAN environment.
  • terminals 100a and 100b have MAC protocol stacks 10a and 10b (e.g., IEEE802.11), respectively, and have frameworks 20a and 20b (e.g., IEEE802.1X), respectively, on a second layer.
  • the MAC protocol stacks 10a and 10b are capable of accessing a wireless link, and the frameworks 20a and 20b enable authentication of a terminal.
  • the terminals 100a and 100b include processors (not shown) for receiving a password from a user and processing the received password.
  • the terminal 100a and an access point 120a constitute a first wireless network, and the terminal 100b and an access point 120b constitute a second wireless network.
  • the terminals 100a and 100b are unable to access a host in a wired network without being authenticated by the access points 120a and 120b.
  • the manner in which the access points 120a and 120b process packets of the terminals 100a and 100b differs depending on where the authentication is performed. For example, in an IEEE802.1X environment, authentication-related packets sent by the terminals 100a and 100b are transmitted to an authentication server 140 in the wired network without undergoing authentication by the access points 120a and 120b.
  • the authentication server 140 processes authentication messages requested by the terminals 100a and 100b, and stores session information from the terminals 100a and 100b. Therefore, it is possible to charge a user based on the session information stored by the authentication server 140.
  • the authentication server 140 stores personal information regarding users and records information regarding services used by the users.
  • reference numeral 150 denotes a portal.
  • n: an arbitrary large prime number
  • A, B: characters representing a user and an authentication server, respectively
  • v: a password verifier stored in an authentication server
  • x_A, x_B: arbitrary private keys of a user terminal and an authentication server, respectively
  • c_A: a confounder of a user terminal, generally a long random value
  • h(•): a unidirectional hash function
  • E_x(•): a symmetric key coding algorithm in which x is used as a private key. Since x can have an arbitrary length, a coding algorithm having a key of variable size, such as Blowfish [Sch93], may be used for security, and the Advanced Encryption Standard (AES), newly established as a block coding algorithm standard by the U.S. National Institute of Standards and Technology, may also be used.
  • K: a session key that is shared by a user and an authentication server and may be used for encrypted communications later.
  • a method of controlling user access to a network includes two steps. First, authentication for a terminal is performed. Next, authentication for a user of the terminal is performed using a password, in step 300. Authentication for the user of a terminal using a password is performed after the following preparatory operations in step 200.
  • the primitive element g mod n is obtained after selecting the arbitrary large prime number n.
  • n and g correspond to information shared by a user terminal and an authentication server.
  • h(•) is a unidirectional hash function.
  • the user transmits the value of the password verifier v to the authentication server via a safe channel.
  • step 300 for network access may be omitted.
  • authentication of a terminal is completed using a MAC-ID in an IEEE802.1X environment.
  • DHCP: dynamic host configuration protocol
  • the address of the authentication server is brought up.
  • the password authentication client is downloaded from the authentication server.
  • a user inputs his or her password to the password authentication client.
  • the terminal accesses an external/internal network, such as the Internet or an intranet, after authentication is approved.
  • step 300: network access
  • step 200: password registration and preparatory operations
  • the password authentication client produces three random values x_A, c_A, and r.
  • the password authentication client transmits the values z1, y_A, and r to the authentication server via an access point.
  • the length of the required key differs according to the symmetric key encoding system used, but the key required from the password verifier may be taken starting from its most significant bit (MSB).
  • a key of the required length, starting from the MSB of y_B, is obtained according to the symmetric key encoding system used.
  • a user may be authenticated by using a password in a WLAN environment. Therefore, regardless of the number of wireless accesses available, a user may be authenticated, thereby allowing a terminal to be authenticated even when it roams over a variety of networks.
  • passwords in the present invention make both user-level management and an inter-technology hand-off function possible.
  • Mutual authentication is also possible without a public key infrastructure (PKI).
  • IKE: Internet key exchange
  • IPSec: IP security
  • the present invention uses a password-dependent authentication method, so that an authentication system may be easily established without a PKI. Accordingly, authentication by the present invention is performed efficiently.
  • in the present invention, it is possible to determine whether a user has the same key as that of an authentication server.
  • Communication data protected by the present invention is safe from the password attacks that work against a conventional system using a general password.
  • authentication of a terminal and authentication of a user are performed independently, thereby adding an extra layer of protection.
  • the present invention provides shared secret information, with which encrypted communications are performed.
  • a key known in any session does not include information on a key used in any other session.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

A network access controlling method in a wireless environment, in which an access point first completes authentication of a terminal using a MAC-ID. Next, a user inputs a password to a password authentication client. Then, authentication between the password authentication client and an authentication server is performed based on the input password. Thereafter, the terminal accesses an external/internal network (e.g., Internet/intranet) if the terminal authentication and the authentication based on the password are approved. Otherwise, the terminal transmits an authentication failure message to the user.

Description

    BACKGROUND OF THE INVENTION
  • 1. Field of the Invention [0001]
  • The present invention relates to a method of controlling access to a network and protecting communication data in a wireless environment. More particularly, the present invention relates to an access controlling method using a combination of a wireless local area network (hereinafter referred to as WLAN) terminal authentication and a user authentication. [0002]
  • 2. Description of the Related Art [0003]
  • Generally, WLANs are LANs that transmit and receive data over the air between computers, or between a computer and a communication system other than a computer, without the need for wired connections. WLANs transmit and receive data using radio and infrared electromagnetic airwaves. WLANs have been developed with the recent rapid advancements of Internet services and wireless communication technologies. Because WLANs are easily installed and maintained, they are increasingly used for network connections between buildings and in places where establishing a wired network is difficult, such as in large-scale offices and distribution centers. However, WLANs provide poor security as compared to wired networks because, theoretically, anybody may access the transmission medium. [0004]
  • In this regard, many security services have been developed, such as encryption, access control, authentication, non-repudiation, integrity, etc., all of which are important. However, the authentication function is particularly important when considering quality communication services. In a WLAN, proper authentication is performed prior to encryption and access control. In a public WLAN, authentication with respect to a terminal is necessarily required to provide a WLAN service that charges users. However, in a WLAN system, the security function of a mechanism for authentication using an existing wired equivalent privacy (WEP) protocol does not work against many attacks. [0005]
  • An authentication mechanism in a conventional IEEE802.11b system is classified into two mechanisms, an open-system authentication mechanism and a shared-key authentication mechanism. Only the shared-key authentication mechanism performs authentication using an actual key. The open-system authentication mechanism uses an empty character stream opened upon a WLAN card authentication based on an access point. The access point may be connected to a WLAN card device after unconditionally authenticating the card device, even if the card device does not provide accurate authentication information. In the shared-key authentication mechanism, a particular character stream proposed by an access point to a WLAN card in a challenge procedure is coded into a predetermined key in a response procedure through a challenge-response communication. A pre-determined shared key is used to code the character stream in the response procedure before resuming communications. Then, the coded character stream may be connected to an access point only if it passes the authentication procedure, thereby obtaining an authentication to be transmitted from the WLAN card to the access point. [0006]
  • In an IEEE802.11b system, a terminal authenticates itself to an access point using a WEP supplied by a media access control (MAC) layer. In order to authenticate a terminal to an access point by improving an existing authentication mechanism, an IEEE802.11a system may adopt an authentication method using a WEP or a method of defining an authentication protocol in an IEEE802.1X environment identical to or superior to the MAC layer. [0007]
  • An authentication protocol using a WEP is based on a challenge-response method using algorithms for challenge and response procedures. In this method, when a terminal codes a challenge received at an access point using a shared key and a WEP and transmits the code to the access point, the access point decodes the challenge using a previously shared key, thereby authenticating the challenger. However, the authentication protocol using WEP offers no safety against attacks made on a current WEP algorithm. [0008]
  • The other authentication method proposed by an IEEE802.11a system is to authenticate a terminal on a level equal to or higher than an MAC layer. This authentication method is based on an authentication protocol using an extensible authentication protocol (EAP) in an IEEE802.1X environment, but requires a concrete authentication protocol in order to perform authentication at a level equal to or higher than the MAC layer. The IEEE802.1X environment does not define a concrete authentication protocol. [0009]
  • If the IEEE802.1X environment were to propose a concrete authentication protocol, the proposed concrete authentication protocol could be applied to provide a terminal authentication function. However, in a security service based on terminal authentication, an unauthorized user that acquired a terminal may access a network although he or she is not the original owner of the terminal. Therefore, user access to enterprise networks and public access services must be controlled. [0010]
  • Next-generation terminals provide access to several wireless links. When these access points are realized within a terminal, authentications for several wireless accesses are required. In order to receive a mutual exchange service of several wireless accesses, a terminal must support authentication for the mutual wireless access. To achieve this, wireless access techniques require an independent mechanism. [0011]
  • To authenticate a user, a password authentication method is convenient and therefore widely used. However, general authentication systems using a password provide a low degree of freedom for a user to select a password. When a password having a size of k bits is selected, and the probability that each of the k bits is 0 or 1 is 0.5, the k-bit password becomes an arbitrary random key. Guessing the random key means making a list of 2^k random password candidates. However, when a user selects a password, random selection is almost impossible, and thus the user is exposed to an off-line password guessing attack. [0012]
    SUMMARY OF THE INVENTION
  • In an effort to solve these and other problems, it is a feature of an embodiment of the present invention to provide a network access controlling method having improved security as compared to a conventional method by using both terminal authentication and user authentication in a place requiring authentication as a way of controlling network accesses through a terminal, such as in a wireless local area network service, and a recording medium for storing software codes of the network access controlling method. [0013]
  • To provide this feature of the present invention, there is provided a network access controlling method in a wireless environment, the method including completion of a terminal authentication using a MAC-ID by an access point, inputting of a password P by a user to a password authentication client, completion of authentication of a user by performing authentication between the password authentication client and an authentication server based on the password input by the user, and accessing an external or internal network such as the Internet or an intranet by the terminal, if the terminal authentication and the user authentication are approved, and transmitting an authentication failure message to the user if the terminal authentication and/or the user authentication are not approved. [0014]
  • The terminal authentication may be performed in an IEEE802.1X environment. [0015]
  • The network access controlling method may further include, if the user is the original possessor of the terminal, after the terminal authentication and before the inputting of the password, assigning the terminal an Internet Protocol (IP) address and downloading the password authentication client from the authentication server. [0016]
  • The network access controlling method may further include, as preparatory operations for the inputting of the password P, selecting an arbitrary large prime number n and obtaining a primitive element g mod n, the large prime number n and the primitive element g corresponding to information shared by the terminal and the authentication server; selection of the password P and calculation of a password verifier v = g^h(P) by the user; and transmittal by the user of the password verifier v to the authentication server via a safe channel, wherein h(•) denotes a unidirectional hash function. [0017]
  • In the network access controlling method, performing authentication between the password authentication client and an authentication server may include the following. The password authentication client calculates and stores the password verifier v = g^h(P) from the password P input by the user. It produces three random values, namely a secret key x_A of the terminal, a confounder c_A of the terminal, and an arbitrary value r, and calculates the public key y_A = g^x_A of the terminal and the value z1 = h(y_A, v, c_A) using the secret key x_A, the confounder c_A, and the password verifier v. The password authentication client transmits the calculated values z1 and y_A and the arbitrary value r to the authentication server via the access point. The authentication server stores the received values z1 and y_A, produces its own secret key x_B, and calculates its public key y_B = g^x_B, the session key K = y_A^x_B, and the value h1 = h(r, v, K) from the received values y_A and r. The authentication server then transmits to the password authentication client a message z2 = E_v(y_B, h1), in which its public key y_B and the calculated value h1 are encoded by a symmetric key encoding system using a key derived from the password verifier v. The password authentication client decodes the received message z2 using the symmetric key encoding system with a decoding key derived from the password verifier v, calculates and stores the session key K = y_B^x_A, calculates h′ = h(r, v, K) using that session key, and determines whether h′ is equal to the received value h1. If h′ is not equal to h1, the password authentication client stops the message exchange with the authentication server. If h′ is equal to h1, the password authentication client transmits to the authentication server a message z3 = E_yB(c_A, K), in which K = y_B^x_A and c_A are encoded using a key derived from the public key y_B of the authentication server. The authentication server decodes the received value z3 using a key derived from y_B and stops the message exchange with the password authentication client if the decoded K = y_B^x_A is not equal to its own K = y_A^x_B. If the two values of K are equal, the authentication server calculates h″ = h(y_A, v, c_A) from the stored value y_A and the decoded c_A and determines whether h″ is equal to z1. If h″ is equal to z1, the authentication server approves the user authentication; if h″ is not equal to z1, the authentication server disapproves it. Here E_x(•) denotes a symmetric key encoding algorithm using x as a secret key. [0018]
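The exchange described in the paragraph above (and in the step-by-step fragments under Definitions), as an added example that is not the patent's or Samsung's code: a toy Python implementation of the password-based user authentication of steps 200 and 300, with both the client and the server side of each message. Assumptions that are not on the page: the 128-bit safe prime n and primitive element g are generated at runtime by `make_params`, h(•) is SHA-256, E_x(•) is a SHA-256 counter keystream with a random IV standing in for the Blowfish or AES cipher the page names, and that cipher's key is sha256(x) rather than the leading bits of x as the page describes; the function names (`register`, `client_start`, `server_reply`, `client_finish`, `server_verify`, `run_exchange`) are mine.

```python
# Added example (not the patent's code): the page's password-based user
# authentication (steps 200 and 300) in toy form. Assumptions: a runtime 128-bit
# safe prime, SHA-256 for h(.), and a SHA-256 keystream (random IV, key sha256(x))
# standing in for the Blowfish/AES cipher E_x(.) keyed by the leading bits of x.
import hashlib
import random
import secrets

BITS, NB = 128, 16   # toy prime size in bits, and the byte width of a group element

def _probable_prime(x, rng, rounds=24):
    """Miller-Rabin for the odd, large candidates make_params() produces."""
    d, s = x - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        y = pow(rng.randrange(2, x - 1), d, x)
        if y in (1, x - 1):
            continue
        for _ in range(s - 1):
            y = pow(y, 2, x)
            if y == x - 1:
                break
        else:
            return False
    return True

def make_params(seed=2002):
    """Step 200 setup: a safe prime n = 2q+1 and a primitive element g mod n."""
    rng = random.Random(seed)       # seeded so the parameters are reproducible
    while True:
        q = rng.getrandbits(BITS - 1) | (1 << (BITS - 2)) | 1
        n = 2 * q + 1
        if _probable_prime(q, rng) and _probable_prime(n, rng):
            break
    g = 2                           # primitive iff g^2 != 1 and g^q != 1 (mod n)
    while pow(g, 2, n) == 1 or pow(g, q, n) == 1:
        g += 1
    return n, g

def i2b(x):
    return x.to_bytes(NB, "big")

def h(*parts):
    """h(.): one-way hash over fixed-width integers and/or raw bytes."""
    return hashlib.sha256(b"".join(i2b(p) if isinstance(p, int) else p for p in parts)).digest()

def _xor_stream(x, iv, data):
    key = hashlib.sha256(i2b(x)).digest()
    blocks = (hashlib.sha256(key + iv + c.to_bytes(4, "big")).digest() for c in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def E(x, plaintext):
    """E_x(.): stand-in symmetric cipher; a fresh IV keeps reuse of the key v safe."""
    iv = secrets.token_bytes(16)
    return iv + _xor_stream(x, iv, plaintext)

def D(x, ciphertext):
    return _xor_stream(x, ciphertext[:16], ciphertext[16:])

def register(n, g, password):
    """Step 200: the user computes v = g^h(P) and hands it over a safe channel."""
    return pow(g, int.from_bytes(h(password.encode()), "big"), n)

def client_start(n, g, password):
    """Client: v from the typed password, random x_A, c_A, r; send (z1, y_A, r)."""
    v = register(n, g, password)
    x_a, c_a, r = (secrets.randbelow(n - 2) + 1 for _ in range(3))
    y_a = pow(g, x_a, n)
    return {"n": n, "v": v, "x_a": x_a, "c_a": c_a, "r": r}, (h(y_a, v, c_a), y_a, r)

def server_reply(n, g, v, msg1):
    """Server: keep z1, y_A; pick x_B; K = y_A^x_B; send z2 = E_v(y_B, h(r, v, K))."""
    z1, y_a, r = msg1
    x_b = secrets.randbelow(n - 2) + 1
    y_b, k = pow(g, x_b, n), pow(y_a, x_b, n)
    return {"v": v, "z1": z1, "y_a": y_a, "y_b": y_b, "K": k}, E(v, i2b(y_b) + h(r, v, k))

def client_finish(st, z2):
    """Client: decode z2 with v, K = y_B^x_A, check h' == h1, then send z3 = E_yB(c_A, K)."""
    pt = D(st["v"], z2)
    y_b, h1 = int.from_bytes(pt[:NB], "big"), pt[NB:]
    k = pow(y_b, st["x_a"], st["n"])
    if h(st["r"], st["v"], k) != h1:     # verifier mismatch (wrong password): stop here
        return None, None
    return k, E(y_b, i2b(st["c_a"]) + i2b(k))

def server_verify(st, z3):
    """Server: decode z3 with y_B, require K to match, then h'' = h(y_A, v, c_A) == z1."""
    if z3 is None:                       # client stopped after its h' check
        return False
    pt = D(st["y_b"], z3)
    c_a, k = int.from_bytes(pt[:NB], "big"), int.from_bytes(pt[NB:], "big")
    return k == st["K"] and h(st["y_a"], st["v"], c_a) == st["z1"]

def run_exchange(n, g, registered_v, typed_password):  # -> (approved, client K, server K)
    cst, msg1 = client_start(n, g, typed_password)
    sst, z2 = server_reply(n, g, registered_v, msg1)
    client_k, z3 = client_finish(cst, z2)
    return server_verify(sst, z3), client_k, sst["K"]
```

With the registered password, `run_exchange(n, g, register(n, g, "pw"), "pw")` returns `(True, K, K)` with the same session key on both sides; with a different typed password the client's h′ check fails on the decoded z2, it sends nothing for z3, and the server disapproves. The server's check order (K first, then h″ against the stored z1) follows the page, and the confounder c_A is what binds z1 to this session: the server can only recompute z1 after it has decoded c_A out of z3.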
  • The present invention relates to a method of allowing a user's access to a network through “user authentication in a broad meaning”. The user authentication in a broad meaning may be understood as embracing both a method of controlling a user's access to a network by authenticating the terminal used by the user and a method of authenticating the user. [0019]
  • The method of controlling a user's access to a network through terminal authentication is used when the user has his or her own dedicated terminal, such as a mobile phone. Such a dedicated terminal has a unique identifier, and the network authenticates the terminal using that identifier, thereby allowing the user to access the network. This method provides easy access to the network, with no user participation in the authentication process. However, network access control using only terminal authentication poses a security problem: any person who gains possession of the terminal is allowed to access the network, so unauthorized users may access the network through other people's terminals. Also, because terminal authentication is based on the identifier of a terminal, it is tied to the wireless link access technique of that terminal and cannot be carried over to other wireless link access techniques. [0020]
  • On the other hand, user authentication is used to control a user's access to a network by authenticating the user regardless of which terminal the user uses. User authentication has a disadvantage in that the user must undergo an authentication process. However, user authentication is important in directly authenticating a user who actually accesses a network. In user authentication, it is possible to authenticate a user regardless of terminals and wireless link access techniques. A feature of the present invention is that user authentication is based on a password known by a user. The present invention provides easy control of network access at a user level.[0021]
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The above features and advantages of the present invention will become more apparent to those of ordinary skill in the art by describing in detail preferred embodiments thereof with reference to the attached drawings in which: [0022]
  • FIG. 1 is a block diagram for illustrating a network access controlling method according to the present invention; and [0023]
  • FIG. 2 is a flowchart for illustrating a network access controlling method according to the present invention.[0024]
  • DETAILED DESCRIPTION OF THE INVENTION
  • Korean Patent Application No. 2002-14276, filed on Mar. 16, 2002, and entitled: “Method Of Controlling Network Access In Wireless Environment And Recording Medium Therefor,” is incorporated by reference herein in its entirety. [0025]
  • The present invention will now be described more fully with respect to the accompanying drawings, in which a preferred embodiment of the invention is shown. This invention may, however, be embodied in different forms and should not be construed as limited to the embodiment set forth herein. Rather, the embodiment is provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. [0026]
  • For user authentication, the present invention includes a step of authenticating the terminal possessed by a user and a step of authenticating the user using a password chosen by the user. The entities that carry out user authentication according to the present invention are a terminal, an access point, and an authentication server in the network. FIG. 1 shows the components of a WLAN environment. [0027]
  • Referring to FIG. 1, terminals 100a and 100b have MAC protocol stacks 10a and 10b (e.g., IEEE802.11), respectively, and frameworks 20a and 20b (e.g., IEEE802.1X), respectively, on the second layer. The MAC protocol stacks 10a and 10b access the wireless link, and the frameworks 20a and 20b enable authentication of a terminal. The terminals 100a and 100b include processors (not shown) for receiving a password from a user and processing the received password. The terminal 100a and an access point 120a constitute a first wireless network, and the terminal 100b and an access point 120b constitute a second wireless network. The terminals 100a and 100b are unable to reach a host in the wired network without being authenticated by the access points 120a and 120b. How the access points 120a and 120b process packets from the terminals 100a and 100b differs depending on where authentication is performed. For example, in an IEEE802.1X environment, authentication-related packets sent by the terminals 100a and 100b are forwarded to an authentication server 140 in the wired network without being authenticated by the access points 120a and 120b themselves. [0028]
  • The access points 120a and 120b are the wireless attachment points through which a terminal reaches the wired network; they forward the password-based authentication packets used in the present invention to the authentication server 140 in the wired network without processing them. In an IEEE802.1X environment, an access point may itself perform the authentication server function, or may relay authentication-related packets to an authentication server while an authentication server in the LAN is assigned the local authentication function. [0029]
  • The authentication server 140 processes the authentication messages requested by the terminals 100a and 100b, and stores session information for the terminals 100a and 100b. It is therefore possible to charge a user based on the session information stored by the authentication server 140. [0030]
  • That is, the authentication server 140 stores personal information regarding users and records information regarding the services used by the users. [0031]
  • In FIG. 1, reference numeral 150 denotes a portal. [0032]
  • Basic operations and parameters required to authenticate a user using a password are as follows. [0033]
  • n: arbitrary large prime number [0034]
  • g: primitive element (generator) mod n [0035]
  • P: user's password [0036]
  • A, B: characters representing a user and an authentication server, respectively [0037]
  • v: a password verifier stored in the authentication server [0038]
  • $x_A$, $x_B$: arbitrary private keys of the user terminal and the authentication server, respectively [0039]
  • $y_A$, $y_B$: public keys of the user terminal and the authentication server, respectively. Here, $y_A = g^{x_A}$ and $y_B = g^{x_B}$ (the uses of $x_A$ and $y_A$ differ slightly from those of a private key and a public key in a general public key cryptosystem: they are fresh Diffie-Hellman values chosen per run rather than long-term keys). [0040]
  • $c_A$: a confounder of the user terminal, generally a long random value [0041]
  • $h(\cdot)$: a unidirectional (one-way) hash function [0042]
  • $E_x(\cdot)$: a symmetric key encryption algorithm in which x is used as the secret key. Since x can have an arbitrary length, an algorithm with a variable-size key, such as Blowfish [Sch93], may be used; the Advanced Encryption Standard (AES), newly established as the block cipher standard by the U.S. National Institute of Standards and Technology, may also be used. [0043]
  • K: a session key shared by the user and the authentication server, which may be used for encrypted communication afterwards. [0044]
  • Referring to FIG. 2, a method of controlling user access to a network according to an embodiment of the present invention includes two steps. First, authentication of the terminal is performed. Next, authentication of the user of the terminal is performed using a password, in step 300. Authentication of the user using a password is performed after the following preparatory operations in step 200. [0045]
  • [Step 200 for password registration and preparatory operations] [0046]
  • First, a large prime number n is selected and a primitive element g mod n is obtained. Here, n and g are information shared by the user terminal and the authentication server. [0047]
  • Next, the user selects his or her password P and calculates the password verifier $v = g^{h(P)}$. As described above, $h(\cdot)$ is a unidirectional hash function. [0048]
  • Thereafter, the user transmits the value of the password verifier v to the authentication server via a safe channel. [0049]
  • A process in which a user acquires a terminal for the first time and gains authentication from the authentication server will now be described. If the user is not the first user of the terminal in a given domain, the fourth sub-step of step 300 for network access may be omitted. [0050]
  • [Step 300 for network access] [0051]
  • In the first sub-step, authentication of the terminal is completed using a MAC-ID in an IEEE802.1X environment. [0052]
  • In the second sub-step, an Internet Protocol (IP) address is allocated using a dynamic host configuration protocol (DHCP) server or the like. [0053]
  • In the third sub-step, the address of the authentication server is obtained. [0054]
  • In the fourth sub-step, the password authentication client is downloaded from the authentication server. [0055]
  • In the fifth sub-step, a user inputs his or her password to the password authentication client. [0056]
  • In the sixth sub-step, authentication between the password authentication client and the authentication server is completed based on the password input by the user. [0057]
  • In the seventh sub-step, the terminal accesses an external/internal network, such as the Internet or an intranet, after authentication is approved. [0058]
  • Hereinafter, the sixth sub-step of step 300 (network access) will be described in greater detail. Step 200 (password registration and preparatory operations) must be performed before the sixth sub-step. [0059]
  • In the sixth sub-step, first, the password authentication client calculates the password verifier $v = g^{h(P)}$ from the password P input by the user. [0060]
  • Second, the password authentication client produces three random values $x_A$, $c_A$, and r. [0061]
  • Third, $y_A = g^{x_A}$ and $z_1 = h(y_A, v, c_A)$ are calculated using the produced random values. [0062]
  • Fourth, the password authentication client transmits the values $z_1$, $y_A$, and r to the authentication server via an access point. [0063]
  • Fifth, the authentication server stores the received values $z_1$ and $y_A$ and produces a random value $x_B$ to calculate $y_B = g^{x_B}$. [0064]
  • Sixth, the authentication server calculates a session key $K = y_A^{x_B}$ and a value $h_1 = h(r, v, K)$ from the received values $y_A$ and r. [0065]
  • Seventh, the authentication server transmits to the password authentication client a message $z_2 = E_v(y_B, h_1)$, in which its public key $y_B$ and the calculated value $h_1$ are encrypted by a symmetric key encryption system using a key derived from the user's password verifier v. The required key length differs according to the symmetric key encryption system used; the key is taken from the password verifier starting from its most significant bit (MSB). [0066]
  • Eighth, the password authentication client decrypts the received message $z_2$ with the symmetric key encryption system using a decryption key derived from the user's password verifier v, and calculates and stores the session key $K = y_B^{x_A}$. The password authentication client then calculates $h' = h(r, v, K)$ using the calculated session key and determines whether $h'$ is equal to the received value $h_1$. If $h'$ and $h_1$ are not equal, the password authentication client stops the message exchange with the authentication server. [0067]
  • Ninth, if $h'$ and $h_1$ are equal, the password authentication client transmits to the authentication server a message $z_3 = E_{y_B}(c_A, K)$, in which $K = y_B^{x_A}$ and $c_A$ are encrypted using a key derived from the public key $y_B$ of the authentication server. The key length required by the symmetric key encryption system is taken from $y_B$ starting from its MSB. [0068]
  • Tenth, the authentication server decrypts the received $z_3$ using the key derived from $y_B$ and determines whether the received $K = y_B^{x_A}$ is equal to its own $K = y_A^{x_B}$. If they are not equal, the authentication server stops the message exchange with the password authentication client. If they are equal, the authentication server calculates $h'' = h(y_A, v, c_A)$ from the $y_A$ stored in the fifth step and the decrypted $c_A$, and determines whether $h''$ is equal to $z_1$. If $h''$ is equal to $z_1$, the authentication server transmits a user authentication success message to the password authentication client. If $h''$ is not equal to $z_1$, the authentication server transmits a user authentication failure message to the password authentication client. [0069]
  • After authentication between the password authentication client and the authentication server is completed, new secret information enabling encrypted communication is shared by the user and the authentication server. [0070]
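  • The password registration of step 200 and the ten operations of the sixth sub-step, carried through on both sides in Python, serving also as the worked form of the summary paragraph [0018] and of claim 5. This is an added example and not code from the patent, from Samsung or from any product. The page fixes neither the group, the hash nor the cipher, so the block assumes the 1024-bit MODP group of RFC 2409 with g = 2 (a generator of a large prime-order subgroup, which is what the Diffie-Hellman step needs, rather than a primitive element mod n), SHA-256 for $h(\cdot)$, and, since the standard library has neither Blowfish nor AES, an HMAC-SHA256 keystream under a random IV for $E_x(\cdot)$, keyed by the leading 32 bytes of v or $y_B$ as the MSB rule in the seventh and ninth operations prescribes. The class and function names, the 32-byte confounder and r, and the sample passwords are the example's own.

```python
import hashlib, hmac, os, secrets

# Assumption: the page leaves n and g unspecified; this is the 1024-bit MODP group
# of RFC 2409 (group 2), g = 2, which generates a large prime-order subgroup.
N = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
        "FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = (N.bit_length() + 7) // 8   # 128-byte fixed-width encoding of group elements
KEYLEN = 32                          # symmetric key = leading KEYLEN bytes (the MSB rule)

def i2b(x: int) -> bytes: return x.to_bytes(NBYTES, "big")
def b2i(b: bytes) -> int: return int.from_bytes(b, "big")

def h(*parts: bytes) -> bytes:
    """h(.): the unidirectional hash. Assumption: SHA-256 over length-prefixed parts."""
    m = hashlib.sha256()
    for p in parts: m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

def _xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, iv + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def E(x: int, plaintext: bytes) -> bytes:
    """E_x(.), keyed by the MSBs of x. Assumption: the page names Blowfish or AES; this
    stays in the standard library with an HMAC-SHA256 keystream under a fresh random IV."""
    key, iv = i2b(x)[:KEYLEN], os.urandom(16)
    return iv + _xor_stream(key, iv, plaintext)

def D(x: int, ct: bytes) -> bytes:
    return _xor_stream(i2b(x)[:KEYLEN], ct[:16], ct[16:])

def verifier(password: str) -> int:
    return pow(G, b2i(h(password.encode())), N)   # step 200 / first operation: v = g^h(P) mod n

class AuthServer:
    """B: holds only the registered verifier v."""
    def __init__(self, v: int): self.v, self.K = v, None

    def respond(self, z1: bytes, yA: int, r: bytes) -> bytes:
        # Fifth to seventh: store z1, yA; K = yA^xB; z2 = E_v(yB, h1) with h1 = h(r, v, K)
        self.z1, self.yA = z1, yA
        xB = secrets.randbelow(N - 2) + 1
        self.yB, self.K = pow(G, xB, N), pow(yA, xB, N)
        h1 = h(r, i2b(self.v), i2b(self.K))
        return E(self.v, i2b(self.yB) + h1)

    def finish(self, z3: bytes) -> bool:
        # Tenth: decrypt under yB; K must match; the confounder must reproduce z1
        plain = D(self.yB, z3)
        cA, K_client = plain[:32], b2i(plain[32:])
        if K_client != self.K:
            return False                                    # stop message exchange
        return hmac.compare_digest(h(i2b(self.yA), i2b(self.v), cA), self.z1)

class PasswordClient:
    """A: takes v rather than P, because nothing after the first operation needs P."""
    def __init__(self, v: int): self.v, self.K = v, None

    def start(self):
        # Second to fourth: random xA, cA, r; yA = g^xA; z1 = h(yA, v, cA); send (z1, yA, r)
        self.xA = secrets.randbelow(N - 2) + 1
        self.cA, self.r = os.urandom(32), os.urandom(32)   # confounder, arbitrary value
        self.yA = pow(G, self.xA, N)
        return h(i2b(self.yA), i2b(self.v), self.cA), self.yA, self.r

    def respond(self, z2: bytes):
        # Eighth and ninth: decrypt under v; K = yB^xA; h' must equal h1; z3 = E_yB(cA, K)
        plain = D(self.v, z2)
        yB, h1 = b2i(plain[:NBYTES]), plain[NBYTES:]
        K = pow(yB, self.xA, N)
        if not hmac.compare_digest(h(self.r, i2b(self.v), i2b(K)), h1):
            return None                                     # stop message exchange
        self.K = K
        return E(yB, self.cA + i2b(K))

def run(server: AuthServer, client: PasswordClient):
    """One exchange via the access point: (approved, transcript as seen on the air)."""
    z1, yA, r = client.start()
    z2 = server.respond(z1, yA, r)
    z3 = client.respond(z2)
    return z3 is not None and server.finish(z3), (z1, yA, r, z2, z3)

def offline_guess(transcript, wordlist):
    """Caveat from the exchange as written: a recorded transcript lets an eavesdropper test
    guesses offline, since v' unlocks z2, the recovered yB' unlocks z3, and z1 checks cA'."""
    z1, yA, _, z2, z3 = transcript
    for guess in (wordlist if z3 is not None else []):   # an aborted run leaves no z3 to test
        v_guess = verifier(guess)
        yB_guess = b2i(D(v_guess, z2)[:NBYTES])
        if h(i2b(yA), i2b(v_guess), D(yB_guess, z3)[:32]) == z1:
            return guess
    return None
```

  • `run` returns the server's decision together with the five values an eavesdropper on the wireless link would record. With the registered password both sides end with the same K; with a wrong password the client aborts at the eighth operation and never sends $z_3$; a corrupted $z_2$ is caught the same way, and a $c_A$ that does not reproduce $z_1$ is rejected at the tenth operation. Two caveats follow from the operations as written rather than from anything the page states. First, `PasswordClient` takes v rather than P because nothing after the first operation uses P, so the verifier stored on the server is password-equivalent and a leak of v must be treated as a leak of the password. Second, `offline_guess` shows that a recorded transcript of a successful run is an offline guessing oracle: a candidate v' decrypts $z_2$ to a candidate $y_B$, that decrypts $z_3$ to a candidate $c_A$, and $z_1 = h(y_A, v, c_A)$ confirms or refutes the guess with no further interaction, whatever cipher is chosen for $E_x(\cdot)$. Deploying this exchange as specified therefore rests entirely on password strength.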
  • As described above, by the present invention a user may be authenticated using a password in a WLAN environment. Therefore, a user may be authenticated regardless of the wireless access technology in use, so that a terminal can be authenticated even when it roams across a variety of networks. [0071]
  • The use of passwords in the present invention, as opposed to conventional management using a media access control identifier (MAC-ID), makes both user-level management and an inter-technology handoff function possible. Mutual authentication is also possible without a public key infrastructure (PKI). Internet Key Exchange (IKE), the authentication protocol used in IP security (IPsec), depends on a PKI or an equivalent in order to authenticate the opposite party. The present invention instead uses a password-dependent authentication method, so that an authentication system may be established without a PKI. Accordingly, authentication by the present invention is performed efficiently. [0072]
  • According to the present invention, it is possible to determine whether a user holds the same key as the authentication server. Communication data protected by the present invention is safe from the password attacks that work against conventional systems using plain passwords. In the present invention, authentication of the terminal and of the user are performed independently, adding an extra layer of protection. Further, after authentication of the terminal and the user, the present invention provides shared secret information with which encrypted communication is performed. Finally, in the method of the present invention, a key known from any session reveals no information about the key used in any other session. [0073]
  • The protocol for mutual authentication and key exchange between a user and an authentication server according to the present invention relies mainly on a hash function and a symmetric encryption algorithm; the only modular exponentiations are those of the single Diffie-Hellman key exchange (each host computing its own public value and the shared key K, plus the client's computation of v from the password). Thus, fast authentication and key exchange are realized. [0074]
  • Preferred embodiments of the present invention have been disclosed herein and, although specific terms are employed, they are used and are to be interpreted in a generic and descriptive sense only and not for purpose of limitation. Accordingly, it will be understood by those of ordinary skill in the art that various changes in form and details may be made without departing from the spirit and scope of the present invention as set forth in the following claims. [0075]

Claims (10)

What is claimed is:
1. A network access controlling method in a wireless environment, the method comprising:
(a) completion of a terminal authentication using a MAC-ID by an access point;
(b) inputting of a password P by a user to a password authentication client;
(c) completion of authentication of a user by performing authentication between the password authentication client and an authentication server based on the password P input by the user; and
(d) accessing an external or internal network such as the Internet or an intranet by the terminal if the terminal authentication and the user authentication are approved, and transmitting an authentication failure message to the user if the terminal authentication and/or the user authentication are not approved.
2. The network access controlling method as claimed in claim 1, wherein (a) is performed in an IEEE802.1X environment.
3. The network access controlling method as claimed in claim 1, further comprising, if the user is the original possessor of the terminal, between (a) and (b):
assigning the terminal an Internet Protocol (IP) address; and
downloading the password authentication client from the authentication server.
4. The network access controlling method as claimed in claim 1, further comprising as preparatory operations for (b):
(b-1) selecting an arbitrary large prime number n and obtaining a primitive element g for a mod n, the large prime number n and the primitive element g corresponding to information shared by the terminal and the authentication server;
(b-2) selection of the password P and calculation of a password verifier $v = g^{h(P)}$ by the user; and
(b-3) transmittal by the user of the password verifier v to the authentication server via a safe channel,
wherein $h(\cdot)$ denotes a unidirectional hash function.
5. The network access controlling method as claimed in claim 1, wherein (c) comprises:
(c-1) calculation and storage of the password verifier $v = g^{h(P)}$ by the password authentication client based on the password P input by the user;
(c-2) production by the password authentication client of three random values, which are a secret key $x_A$ of the terminal, a confounder $c_A$ of the terminal, and an arbitrary value r, and calculation of a public key $y_A = g^{x_A}$ of the terminal, and a value $z_1 = h(y_A, v, c_A)$ using the secret key $x_A$ and the confounder $c_A$ of the terminal and the password verifier v;
(c-3) transmittal of the calculated values $z_1$ and $y_A$ and the arbitrary value r by the password authentication client to the authentication server via the access point;
(c-4) performing storage of the received values $z_1$ and $y_A$ and production of a secret key $x_B$ of the authentication server by the authentication server to calculate a public key of the authentication server, $y_B = g^{x_B}$;
(c-5) calculation of a session key $K = y_A^{x_B}$, and a value $h_1 = h(r, v, K)$, by the authentication server based on the received values $y_A$ and r;
(c-6) transmittal, by the authentication server to the password authentication client, of a message $z_2 = E_v(y_B, h_1)$, into which the public key $y_B$ of the authentication server and the calculated value $h_1$ are encoded by a symmetric key encoding system by using a key derived from the password verifier v;
(c-7) the password authentication client decoding the received message $z_2$ using the symmetric key encoding system based on a decoding key derived from the password verifier v, calculating and storing a session key $K = y_B^{x_A}$, calculating a value $h' = h(r, v, K)$ using the calculated session key, decoding the calculated value $h'$, and determining if the decoded value $h'$ is equal to the received value $h_1$;
(c-8) if $h'$ is not equal to $h_1$, the password authentication client stopping message exchange with the authentication server, and if $h'$ is equal to $h_1$, the password authentication client transmitting, to the authentication server, a message $z_3 = E_{y_B}(c_A, K)$, into which $K = y_B^{x_A}$ and $c_A$ are encoded based on a key derived from the public key $y_B$ of the authentication server;
(c-9) the authentication server decoding the received value $z_3$ using a key derived from $y_B$ and stopping message exchange with the user authentication client if $K = y_B^{x_A}$ is not equal to $K = y_A^{x_B}$, and if $K = y_B^{x_A}$ is equal to $K = y_A^{x_B}$, calculating a value $h'' = h(y_A, v, c_A)$ based on the value $y_A$ stored in (c-4) and the decoded $c_A$, and determining if $h''$ is equal to $z_1$; and
(c-10) if $h''$ is equal to $z_1$, approval by the authentication server of a user authentication, and if $h''$ is not equal to $z_1$, disapproval of the user authentication by the authentication server,
wherein $E_x(\cdot)$ denotes a symmetric key encoding algorithm using x as a secret key.
6. A computer readable recording medium that stores a computer program for executing the method claimed in claim 1.
7. A computer readable recording medium that stores a computer program for executing the method claimed in claim 2.
8. A computer readable recording medium that stores a computer program for executing the method claimed in claim 3.
9. A computer readable recording medium that stores a computer program for executing the method claimed in claim 4.
10. A computer readable recording medium that stores a computer program for executing the method claimed in claim 5.
US10/383,729 2002-03-16 2003-03-10 Method of controlling network access in wireless environment and recording medium therefor Abandoned US20030177350A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR2002-14276 2002-03-16
KR1020020014276A KR100883648B1 (en) 2002-03-16 2002-03-16 Method of access control in wireless environment and recording medium in which the method is recorded

Publications (1)

Publication Number Publication Date
US20030177350A1 true US20030177350A1 (en) 2003-09-18

Family

ID=27764648

Family Applications (1)

Application Number Title Priority Date Filing Date
US10/383,729 Abandoned US20030177350A1 (en) 2002-03-16 2003-03-10 Method of controlling network access in wireless environment and recording medium therefor

Country Status (6)

Country Link
US (1) US20030177350A1 (en)
EP (1) EP1345386B1 (en)
JP (1) JP3863852B2 (en)
KR (1) KR100883648B1 (en)
CN (1) CN1206838C (en)
DE (1) DE60313910T2 (en)

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040054798A1 (en) * 2002-09-17 2004-03-18 Frank Ed H. Method and system for providing seamless connectivity and communication in a multi-band multi-protocol hybrid wired/wireless network
US20040255154A1 (en) * 2003-06-11 2004-12-16 Foundry Networks, Inc. Multiple tiered network security system, method and apparatus
US20060059538A1 (en) * 2004-09-13 2006-03-16 Xcomm Box, Inc. Security system for wireless networks
US7024690B1 (en) * 2000-04-28 2006-04-04 3Com Corporation Protected mutual authentication over an unsecured wireless communication channel
US20060080534A1 (en) * 2004-10-12 2006-04-13 Yeap Tet H System and method for access control
US20070174906A1 (en) * 2005-11-15 2007-07-26 Credant Technologies, Inc. System and Method for the Secure, Transparent and Continuous Synchronization of Access Credentials in an Arbitrary Third Party System
US20070260882A1 (en) * 2004-11-04 2007-11-08 David Lefranc Method for Secure Delegation of Calculation of a Bilinear Application
US20090260083A1 (en) * 2003-05-21 2009-10-15 Foundry Networks, Inc. System and method for source ip anti-spoofing security
US20090265785A1 (en) * 2003-05-21 2009-10-22 Foundry Networks, Inc. System and method for arp anti-spoofing security
US20100223654A1 (en) * 2003-09-04 2010-09-02 Brocade Communications Systems, Inc. Multiple tiered network security system, method and apparatus using dynamic user policy assignment
US20100325700A1 (en) * 2003-08-01 2010-12-23 Brocade Communications Systems, Inc. System, method and apparatus for providing multiple access modes in a data communications network
US20100333191A1 (en) * 2003-09-23 2010-12-30 Foundry Networks, Inc. System and method for protecting cpu against remote access attacks
US7996894B1 (en) * 2005-02-15 2011-08-09 Sonicwall, Inc. MAC address modification of otherwise locally bridged client devices to provide security
US8528071B1 (en) 2003-12-05 2013-09-03 Foundry Networks, Llc System and method for flexible authentication in a data communications network
US20130242967A1 (en) * 2003-03-14 2013-09-19 Canon Kabushiki Kaisha Communication system, information processing device, connection device, and connection device designation method for designating connection device for communication device to connect to
US20160277420A1 (en) * 2015-03-16 2016-09-22 International Business Machines Corporation File and bit location authentication
CN110831003A (en) * 2018-08-13 2020-02-21 广东亿迅科技有限公司 Authentication method and system based on WLAN flexible access network

Families Citing this family (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100458955B1 (en) * 2002-04-18 2004-12-03 (주) 시큐컴 Security method for the Wireless LAN
GB0325978D0 (en) * 2003-11-07 2003-12-10 Siemens Ag Transparent authentication on a mobile terminal using a web browser
GB0325980D0 (en) * 2003-11-07 2003-12-10 Siemens Ag Secure authentication in a mobile terminal using a local proxy
US7743405B2 (en) 2003-11-07 2010-06-22 Siemens Aktiengesellschaft Method of authentication via a secure wireless communication system
CN100450137C (en) * 2003-11-12 2009-01-07 华为技术有限公司 Realizing method for mobile phone user to access to internet
KR100674632B1 (en) * 2004-07-16 2007-01-26 재단법인서울대학교산학협력재단 Mobile Code Authentication Schemes that Permit Overlapping of Execution and Downloading
EP1635528A1 (en) * 2004-09-13 2006-03-15 Alcatel A method to grant access to a data communication network and related devices
US20060068757A1 (en) * 2004-09-30 2006-03-30 Sukumar Thirunarayanan Method, apparatus and system for maintaining a persistent wireless network connection
FR2876521A1 (en) * 2004-10-07 2006-04-14 France Telecom METHOD FOR AUTHENTICATING A USER, DEVICE USING SUCH A METHOD, AND SIGNALING SERVER
KR100600605B1 (en) * 2004-11-03 2006-07-13 한국전자통신연구원 Apparatus and method for user and terminal data management of portable internet system
US8010994B2 (en) * 2005-05-16 2011-08-30 Alcatel Lucent Apparatus, and associated method, for providing communication access to a communication device at a network access port
US8621577B2 (en) 2005-08-19 2013-12-31 Samsung Electronics Co., Ltd. Method for performing multiple pre-shared key based authentication at once and system for executing the method
KR100729729B1 (en) * 2005-12-10 2007-06-18 한국전자통신연구원 authentication device and method of access point in wireless portable internet system
KR100790495B1 (en) * 2006-03-07 2008-01-02 와이즈와이어즈(주) Authentication Method, System, Server and Recording Medium for Controlling Mobile Communication Terminal by Using Encryption Algorithm
DE102007016117A1 (en) * 2007-04-03 2008-10-16 Siemens Ag Method and system for providing a REL token
JP4928364B2 (en) * 2007-06-25 2012-05-09 日本電信電話株式会社 Authentication method, registered value generation method, server device, client device, and program
WO2009001447A1 (en) * 2007-06-27 2008-12-31 Fujitsu Limited Authentication method, authentication system, authentication device, and computer program
KR100924315B1 (en) * 2007-11-16 2009-11-02 넷큐브테크놀러지 주식회사 Authentification system of wireless-lan with enhanced security and authentifiaction method thereof
KR101065326B1 (en) * 2009-08-06 2011-09-16 국방과학연구소 Method for authenticating the user of web service using physical network address on intranet
KR101133210B1 (en) * 2010-05-22 2012-04-05 오중선 Mobile Authentication System and Central Control System
KR101493214B1 (en) 2012-10-31 2015-02-24 삼성에스디에스 주식회사 Method for password based authentication and apparatus executing the method
WO2014069783A1 (en) * 2012-10-31 2014-05-08 삼성에스디에스 주식회사 Password-based authentication method, and apparatus for performing same
KR101483901B1 (en) * 2014-01-21 2015-01-16 (주)이스트소프트 Intranet security system and method

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6282575B1 (en) * 1997-12-11 2001-08-28 Intel Corporation Routing mechanism for networks with separate upstream and downstream traffic
US20020010857A1 (en) * 2000-06-29 2002-01-24 Kaleedhass Karthik Biometric verification for electronic transactions over the web
US6393484B1 (en) * 1999-04-12 2002-05-21 International Business Machines Corp. System and method for controlled access to shared-medium public and semi-public internet protocol (IP) networks
US6396484B1 (en) * 1999-09-29 2002-05-28 Elo Touchsystems, Inc. Adaptive frequency touchscreen controller using intermediate-frequency signal processing
US20020075844A1 (en) * 2000-12-15 2002-06-20 Hagen W. Alexander Integrating public and private network resources for optimized broadband wireless access and method
US20020130764A1 (en) * 2001-03-14 2002-09-19 Fujitsu Limited User authentication system using biometric information
US20020156708A1 (en) * 1998-12-30 2002-10-24 Yzhak Ronen Personalized internet server
US20020194477A1 (en) * 2000-01-28 2002-12-19 Norio Arakawa Device authentication apparatus and method, and recorded medium on which device authentication program is recorded
US6539479B1 (en) * 1997-07-15 2003-03-25 The Board Of Trustees Of The Leland Stanford Junior University System and method for securely logging onto a remotely located computer
US6766454B1 (en) * 1997-04-08 2004-07-20 Visto Corporation System and method for using an authentication applet to identify and authenticate a user in a computer network
US7047408B1 (en) * 2000-03-17 2006-05-16 Lucent Technologies Inc. Secure mutual network authentication and key exchange protocol
US7487535B1 (en) * 2002-02-01 2009-02-03 Novell, Inc. Authentication on demand in a distributed network environment

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CZ20014168A3 (en) * 1999-05-21 2002-05-15 International Business Machines Corporation Process and apparatus for initialization of safeguarded communication and for creating exclusive couples pairs of wireless devices
US7174564B1 (en) * 1999-09-03 2007-02-06 Intel Corporation Secure wireless local area network
KR20010083377A (en) * 2000-02-11 2001-09-01 박순규 User-Server Identity Authentication Using System Information
FI111119B (en) 2000-05-26 2003-05-30 Radionet Oy Ab Ltd Method and equipment for data transfer
JP2001346257A (en) 2000-06-01 2001-12-14 Akesesu:Kk Security system for portable wireless terminal, portable wireless terminal, and recording medium for recording program for security
KR100438155B1 (en) * 2001-08-21 2004-07-01 (주)지에스텔레텍 Wireless local area network sytem and method for managing the same

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7024690B1 (en) * 2000-04-28 2006-04-04 3Com Corporation Protected mutual authentication over an unsecured wireless communication channel
US20040054798A1 (en) * 2002-09-17 2004-03-18 Frank Ed H. Method and system for providing seamless connectivity and communication in a multi-band multi-protocol hybrid wired/wireless network
US20130242967A1 (en) * 2003-03-14 2013-09-19 Canon Kabushiki Kaisha Communication system, information processing device, connection device, and connection device designation method for designating connection device for communication device to connect to
US9161220B2 (en) * 2003-03-14 2015-10-13 Canon Kabushiki Kaisha Communication system, information processing device, connection device, and connection device designation method for designating connection device for communication device to connect to
US20090260083A1 (en) * 2003-05-21 2009-10-15 Foundry Networks, Inc. System and method for source ip anti-spoofing security
US8245300B2 (en) 2003-05-21 2012-08-14 Foundry Networks Llc System and method for ARP anti-spoofing security
US8918875B2 (en) 2003-05-21 2014-12-23 Foundry Networks, Llc System and method for ARP anti-spoofing security
US8533823B2 (en) 2003-05-21 2013-09-10 Foundry Networks, Llc System and method for source IP anti-spoofing security
US20090265785A1 (en) * 2003-05-21 2009-10-22 Foundry Networks, Inc. System and method for arp anti-spoofing security
US20040255154A1 (en) * 2003-06-11 2004-12-16 Foundry Networks, Inc. Multiple tiered network security system, method and apparatus
US8249096B2 (en) 2003-08-01 2012-08-21 Foundry Networks, Llc System, method and apparatus for providing multiple access modes in a data communications network
US20100325700A1 (en) * 2003-08-01 2010-12-23 Brocade Communications Systems, Inc. System, method and apparatus for providing multiple access modes in a data communications network
US8681800B2 (en) 2003-08-01 2014-03-25 Foundry Networks, Llc System, method and apparatus for providing multiple access modes in a data communications network
US20100223654A1 (en) * 2003-09-04 2010-09-02 Brocade Communications Systems, Inc. Multiple tiered network security system, method and apparatus using dynamic user policy assignment
US8239929B2 (en) * 2003-09-04 2012-08-07 Foundry Networks, Llc Multiple tiered network security system, method and apparatus using dynamic user policy assignment
US20100333191A1 (en) * 2003-09-23 2010-12-30 Foundry Networks, Inc. System and method for protecting cpu against remote access attacks
US8893256B2 (en) 2003-09-23 2014-11-18 Brocade Communications Systems, Inc. System and method for protecting CPU against remote access attacks
US8528071B1 (en) 2003-12-05 2013-09-03 Foundry Networks, Llc System and method for flexible authentication in a data communications network
US20090031395A1 (en) * 2004-09-13 2009-01-29 Xcomm Box, Inc. Security system for wireless networks
US20060059538A1 (en) * 2004-09-13 2006-03-16 Xcomm Box, Inc. Security system for wireless networks
US7904952B2 (en) 2004-10-12 2011-03-08 Bce Inc. System and method for access control
US20060080534A1 (en) * 2004-10-12 2006-04-13 Yeap Tet H System and method for access control
US7991151B2 (en) * 2004-11-04 2011-08-02 France Telecom Method for secure delegation of calculation of a bilinear application
US20070260882A1 (en) * 2004-11-04 2007-11-08 David Lefranc Method for Secure Delegation of Calculation of a Bilinear Application
US7996894B1 (en) * 2005-02-15 2011-08-09 Sonicwall, Inc. MAC address modification of otherwise locally bridged client devices to provide security
US20070174906A1 (en) * 2005-11-15 2007-07-26 Credant Technologies, Inc. System and Method for the Secure, Transparent and Continuous Synchronization of Access Credentials in an Arbitrary Third Party System
US20160277420A1 (en) * 2015-03-16 2016-09-22 International Business Machines Corporation File and bit location authentication
US9674203B2 (en) * 2015-03-16 2017-06-06 International Business Machines Corporation File and bit location authentication
CN110831003A (en) * 2018-08-13 2020-02-21 广东亿迅科技有限公司 Authentication method and system based on WLAN flexible access network

Also Published As

Publication number Publication date
CN1445963A (en) 2003-10-01
CN1206838C (en) 2005-06-15
EP1345386A3 (en) 2004-02-04
DE60313910T2 (en) 2008-01-17
EP1345386A2 (en) 2003-09-17
JP2003289301A (en) 2003-10-10
JP3863852B2 (en) 2006-12-27
KR100883648B1 (en) 2009-02-18
DE60313910D1 (en) 2007-07-05
EP1345386B1 (en) 2007-05-23
KR20030075224A (en) 2003-09-26

Similar Documents

Publication Publication Date Title
US20030177350A1 (en) Method of controlling network access in wireless environment and recording medium therefor
US8726022B2 (en) Method for the access of the mobile terminal to the WLAN and for the data communication via the wireless link securely
EP1422875B1 (en) Wireless network handoff key
JP4615892B2 (en) Performing authentication within a communication system
US9009479B2 (en) Cryptographic techniques for a communications network
JP4160049B2 (en) Method and system for providing access to services of a second network through a first network
US20030084287A1 (en) System and method for upper layer roaming authentication
US20090100262A1 (en) Apparatus and method for detecting duplication of portable subscriber station in portable internet system
CN1444362A (en) Distribution method of wireless local area network encrypted keys
JP2004164576A (en) Method and system for authenticating user in public wireless lan service system, and recording medium
US8788821B2 (en) Method and apparatus for securing communication between a mobile node and a network
JP3792648B2 (en) Wireless LAN high-speed authentication method and high-speed authentication method
US20050144459A1 (en) Network security system and method
JPH11331181A (en) Network terminal authenticating device
JP4677784B2 (en) Authentication method and system in collective residential network
CN1301608C (en) Method for implementing peer-to-peer WLAN with center certification
JP4169534B2 (en) Mobile communication service system
WO2001037477A1 (en) Cryptographic techniques for a communications network
EP3439260B1 (en) Client device ticket
Pastrone Fast Authentication in Heterogeneous Wireless Networks

Legal Events

Date Code Title Description
AS Assignment

Owner name: SAMSUNG ELECTRONICS CO., LTD., KOREA, REPUBLIC OF

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:LEE, KYUNG-HEE;REEL/FRAME:013855/0019

Effective date: 20030305

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION